Legal
Privacy.
Last updated · June 9, 2026
Plain English. We try not to bury anything. Email hello@coil.tattoo with questions.
Who runs coil
coil is a software product for tattooers. The site is operated from the United States. References to “we” and “coil” mean the operator of coil.tattoo.
What we collect
We collect the minimum we need to run your shop on coil:
- Account data: email address, display name, handle, IG handle if you connect Instagram, and any profile copy you save.
- Portfolio data: images you upload or that we pull from your linked Instagram, plus AI-generated tags / bio drafts that you keep or discard.
- Inquiry data from your clients: name, contact info, body-location selection, reference images, and a description of what they want. Clients give this directly when they fill out your inquiry form.
- Payment metadata: Stripe handles all card data. We store Stripe customer / subscription / Connect account IDs, deposit amounts in cents, and timestamps. We never see card numbers.
- Logs and analytics: Sentry for errors, PostHog for product analytics (page views, button clicks, web vitals). IP addresses, user-agents, and session timestamps are part of these.
How we use it
- To run your account, your site, and the inquiry inbox.
- To send transactional email (magic links, receipts, aftercare reminders) and SMS (phone verification, aftercare).
- To generate AI drafts (bio, FAQ replies) — only on prompts you trigger, only on your own data.
- To detect abuse, fix bugs, and improve the product.
- We do not sell your data, your clients' data, or your portfolio. We don't train external AI on your work without your direct opt-in.
SMS, TCPA, and how the coil number works
Each artist on coil can claim their own dedicated SMS number provisioned through Twilio. Clients text that number; coil's inbound webhook routes the message to the artist's thread in the dashboard.
Two consent categories. US TCPA rules distinguish service SMS (appointment reminders, aftercare, deposit links, healed-photo bounty, tip prompts, touch-up windows) from marketing SMS (next-piece nudges, flash drops, guest-spot announcements). Service SMS goes out when a client provides their phone number for an appointment-related purpose. Marketing SMS goes out only when the client has separately opted in via a dedicated checkbox on the inquiry form. Both categories honor STOP, UNSUBSCRIBE, QUIT, CANCEL, REVOKE, OPT-OUT, and free-form opt-out phrases, per the FCC revocation rules effective April 11, 2025. Opt-outs are honored within the ten business days the FCC allows, and in practice within seconds. START resubscribes.
Every SMS coil sends carries the disclosure “Reply STOP to unsubscribe.” Standard message and data rates apply.
AI Healing Watch
When a client texts your coil number with a photo and a message that looks like a healing question, coil's vision model (Anthropic Claude) reads the photo to classify it as healthy, watch, concern, or urgent. Healthy and watch verdicts receive an automatic in-band reply; concern and urgent verdicts get flagged to the artist with the photo attached.
The client's photo and message are stored in your sms_threads so you have the history; the classification verdict is stored alongside. We do not share these photos with any third party other than the AI provider that returns the verdict, and we do not use them to train any external model.
Stripe payments and card processing
coil never holds or routes client funds. Deposits, tips, and balances paid through Stripe Checkout flow directly to the artist's Stripe Connect account. coil is a flat monthly subscription; we take no percentage of payment volume.
Artists may optionally enable a card-processing surcharge that adds a transparent line item to Stripe Checkout for the cardholder. Surcharging legality varies by state; the artist is responsible for compliance with their jurisdiction.
Consent records (signed waivers)
When a client signs a digital consent form for a tattoo or piercing, we capture their signature name, date of birth, medical flags, IP address, user agent, and timestamp. A SHA-256 hash and a canonical JSON snapshot of the signed state are stored alongside the consent record as immutable legal evidence. This data is retained for at least seven years to satisfy industry-standard retention expectations.
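The snapshot-plus-hash mechanism above, shown as an added example in Python. This is illustrative code, not coil's own; the field names follow the list of captured fields in this section, while the function names, the record layout, and the sample signed state (with a TEST-NET IP address) are assumptions made for the example. It shows why the JSON must be canonical (two dicts with the same content but different key order hash identically) and how a later edit to the stored snapshot is caught on verification.

```python
"""Canonical-JSON snapshot + SHA-256 for a signed consent record.

Added example, not coil's code. Field names follow the policy text;
function names, record layout and sample data are assumptions.
"""
import hashlib
import hmac
import json
from typing import Any

# Constructed sample of a signed state (all values fictional; 203.0.113.0/24 is TEST-NET).
SIGNED_STATE = {
    "signature_name": "Jane Q. Client",
    "date_of_birth": "1994-03-15",
    "medical_flags": ["keloid_history"],
    "ip_address": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (constructed sample)",
    "signed_at": "2026-06-09T17:03:22Z",
}


def canonical_json(obj: Any) -> bytes:
    """Deterministic serialization: sorted keys, no insignificant whitespace,
    UTF-8 without ASCII escaping. The same signed state always yields the
    same bytes regardless of dict insertion order, so the hash is stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def snapshot_hash(signed_state: dict) -> str:
    """SHA-256 over the canonical form, as a 64-char hex string."""
    return hashlib.sha256(canonical_json(signed_state)).hexdigest()


def seal_consent(signed_state: dict) -> dict:
    """Build the evidence record: the canonical snapshot plus its hash.
    This is what would be written next to the consent row at signing time."""
    snapshot = canonical_json(signed_state)
    return {
        "snapshot": snapshot.decode("utf-8"),
        "sha256": hashlib.sha256(snapshot).hexdigest(),
    }


def verify_consent(record: dict) -> bool:
    """Re-parse the stored snapshot, re-canonicalize it, re-hash, and compare
    in constant time. Re-canonicalizing means a snapshot that was merely
    re-serialized with different whitespace still verifies, while any change
    to a field value or the set of fields does not."""
    try:
        state = json.loads(record["snapshot"])
        stored = record["sha256"]
    except (KeyError, TypeError, ValueError):
        return False
    recomputed = snapshot_hash(state)
    return hmac.compare_digest(recomputed.encode("ascii"), str(stored).encode("utf-8"))


def altered_copy(record: dict, **changes: Any) -> dict:
    """Return a copy whose snapshot was edited after sealing, hash left as-is.
    Models the tamper case that verify_consent must reject."""
    state = json.loads(record["snapshot"])
    state.update(changes)
    return {"snapshot": json.dumps(state), "sha256": record["sha256"]}


if __name__ == "__main__":
    record = seal_consent(SIGNED_STATE)
    print("sha256:", record["sha256"])
    print("verifies:", verify_consent(record))
    print("verifies after edit:", verify_consent(altered_copy(record, medical_flags=[])))
```

One caveat a practitioner would add: a hash stored in the same database as the snapshot proves the snapshot has not been changed without re-hashing, but anyone with write access to both columns could re-seal an edited state. Evidence of that grade usually gets anchored somewhere the application cannot rewrite (a write-once log or an external timestamping service); that is a recommendation, not a statement about how coil stores its records.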
Data retention
- Account data: retained while your account is active and for up to 30 days after deletion, then permanently purged.
- SMS threads: retained while your account is active; opt-out records (sms_opt_outs) are retained indefinitely so we keep honoring your clients' revocations.
- Consent records: retained for at least seven years for legal evidence purposes, even after account deletion. We will purge on request where law permits.
- Payment records: retained per Stripe's requirements and US tax rules (typically seven years).
- Logs and analytics: retained 30-90 days depending on the system.
Subprocessors
These vendors process data on our behalf. Each one has its own privacy policy you can read.
- Vercel — hosting, edge runtime
- Supabase — database, auth, file storage
- Stripe — payments + Connect onboarding
- Anthropic (Claude) — AI generation
- Resend — transactional email delivery
- Twilio — dedicated SMS numbers, phone verification, inbound and outbound SMS
- Sentry — error monitoring
- PostHog — product analytics
- Cloudflare — bot mitigation (Turnstile)
Security
- All multi-tenant data is protected by row-level security policies enforced by the database (Postgres RLS), not only by application code.
- HTTPS everywhere, HSTS preload, SameSite cookies.
- Stripe Elements / Checkout handle all card entry, so coil's PCI DSS scope is SAQ A.
- Client deposits flow through Stripe Connect directly to the artist's bank account; coil never holds money for artists.
Your rights
You can update, export, or delete your data at any time from the dashboard, or by emailing us. Account deletion purges every record we hold within 30 days, except those the Data retention section says we keep longer (consent records, opt-out records, and payment records).
California residents (CCPA) and EU/UK residents (GDPR) have additional rights: access, correction, deletion, portability, and objection. Email us and we'll handle it. We don't sell data, so the standard CCPA “do not sell” toggle is moot here.
Cookies
We use first-party cookies for sign-in and a small number of third-party analytics cookies (PostHog). No advertising cookies. No cross-site retargeting.
Children
coil is not for anyone under 18. Tattooing minors is regulated separately wherever you operate; please follow your local rules.
Changes
We'll update this page when the substance changes and bump the date at the top. For account-affecting changes, we'll email you.